CVE-2026-35205
8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| helm | helm | >= 4.0.0, < 4.1.4 | affected |
Weaknesses
- CWE-636: CWE-636: Not Failing Securely ('Failing Open')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary code execution due to insufficient plugin provenance verification
Additional References
- https://access.redhat.com/security/cve/CVE-2026-35205
- https://bugzilla.redhat.com/show_bug.cgi?id=2456927
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35205.json
- https://access.redhat.com/errata/RHSA-2026:26441
References
- https://github.com/helm/helm/security/advisories/GHSA-q5jf-9vfq-h4h7
- https://github.com/helm/helm/commit/05fa37973dc9e42b76e1d2883494c87174b6074f
- https://github.com/helm/helm/releases/tag/v4.1.4
- https://helm.sh/docs/topics/provenance/#the-provenance-file
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.